[Idr] SECURE-EVPN's IPsec SA Inheritance can be improved by the mechanism described by draft-dunbar-idr-sdwan-edge-discovery. Would you consider?
Linda Dunbar <linda.dunbar@futurewei.com> Mon, 10 August 2020 22:36 UTC
Return-Path: <linda.dunbar@futurewei.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 944F33A0DC0; Mon, 10 Aug 2020 15:36:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.089
X-Spam-Level:
X-Spam-Status: No, score=-2.089 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=futurewei.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jFU7XVmkD8Xz; Mon, 10 Aug 2020 15:36:32 -0700 (PDT)
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (mail-bn8nam11on2109.outbound.protection.outlook.com [40.107.236.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55D7D3A0DCB; Mon, 10 Aug 2020 15:36:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=brcXbCR991merCBF3/78bzM88xMtghQ1AYi3V9a+fDG909JkXm9VEia04vQ1BM4FFuhkk0eVP/uevskcwFdZCzK0RC0ApWWNp5qJg+g1192rAbsgdHx9y2HeF2W4xTwyVJbyjE3KE0qWPoIlZNC4uVbUpsLcuunkrZVofOG8I5gDKZkdIFcepcnljULcLPlRjkdri5dFwSxjUijZ7nlg6gzU7Wlt4dowprviMsUqGkQPrAWuKV7mYqQLPT6EjSA1ddl93VOWVAxHcaPeGSVG9+fxxPYA6vfeu1z7+c1H8jQ6/JSLK/zM9amV6gDiQb2IbBM69shrYOiCHZBfBPfyvw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nGHXt7hZzDvaFMVfucOwn+IzZgING6PLC4LGLrxP2wA=; b=gSgNvr2ZADzidMHZqqCsGF12huozMCxlF/FnOIyWysdGcj3wilpVeujlfawoU+KiHcXIs7JZmT7oYWjgAHpqzXIsAke2urgw0+Vrb2X9nUixPMLf+AqGcXpxad4GLQTjiwHRgy1enivsYD23cicIEVVpz/Lr6z4eExQ/jlcxB8ciGGMu4fiXBqu6GMk7aJon/Wcst8QOAI0s6HmZ8n5CTd6pRbzs724373E6NMaRBraR4OZT94HSNhdd+pyF2JH/3bY0tMAQaFDnJJ+f1lKZIZ3jQhGs/vDlGfatCZsRR4u/Pj0l9HGXUwb/obe0YM4xQg2w3TBYqw2zPowc58fXEA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=futurewei.com; dmarc=pass action=none header.from=futurewei.com; dkim=pass header.d=futurewei.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Futurewei.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nGHXt7hZzDvaFMVfucOwn+IzZgING6PLC4LGLrxP2wA=; b=fiPTn6gudIxzd0IYHAzTG6Cdw0cTb2Vnkj4sn8N0AxUiFOSI3CPLjQXuLEa1bvx+VLfLCxAGlRIFz+HTJRuENWK1JBQwmZm8to1C1Te+h9sJIaA01B7d+Mt65QQYGcDMFwGd7WzvBTlP68y+fhj7fOCK5I9M+DPDfWSBwe4Tw2c=
Received: from SN6PR13MB2334.namprd13.prod.outlook.com (2603:10b6:805:55::16) by SN6PR13MB2335.namprd13.prod.outlook.com (2603:10b6:805:5d::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3283.10; Mon, 10 Aug 2020 22:36:28 +0000
Received: from SN6PR13MB2334.namprd13.prod.outlook.com ([fe80::44e5:1f97:c5a9:4346]) by SN6PR13MB2334.namprd13.prod.outlook.com ([fe80::44e5:1f97:c5a9:4346%3]) with mapi id 15.20.3283.014; Mon, 10 Aug 2020 22:36:28 +0000
From: Linda Dunbar <linda.dunbar@futurewei.com>
To: "Ali Sajassi (sajassi)" <sajassi@cisco.com>, "bess@ietf.org" <bess@ietf.org>, "idr@ietf.org" <idr@ietf.org>, "'shares@ndzh.com'" <shares@ndzh.com>
Thread-Topic: SECURE-EVPN's IPsec SA Inheritance can be improved by the mechanism described by draft-dunbar-idr-sdwan-edge-discovery. Would you consider?
Thread-Index: AdZvZq3MEjPXGCacSua7T00mVl6J8A==
Date: Mon, 10 Aug 2020 22:36:28 +0000
Message-ID: <SN6PR13MB233403BDCE3517D7F60F160E85440@SN6PR13MB2334.namprd13.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: cisco.com; dkim=none (message not signed) header.d=none;cisco.com; dmarc=none action=none header.from=futurewei.com;
x-originating-ip: [72.180.73.64]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: fbefe3ae-6a09-4a3b-9b49-08d83d7dd2b5
x-ms-traffictypediagnostic: SN6PR13MB2335:
x-microsoft-antispam-prvs: <SN6PR13MB233574FE3A3FA00A70FE4EB685440@SN6PR13MB2335.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SN6PR13MB2334.namprd13.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(346002)(39840400004)(136003)(396003)(376002)(2906002)(86362001)(186003)(83380400001)(52536014)(26005)(4743002)(5660300002)(66446008)(8936002)(6506007)(99936003)(66576008)(66476007)(53546011)(66946007)(64756008)(66556008)(166002)(7696005)(33656002)(316002)(478600001)(76116006)(8676002)(55016002)(9686003)(110136005)(44832011)(966005)(71200400001)(218113003)(491001); DIR:OUT; SFP:1102;
x-ms-exchange-transport-forked: True
Content-Type: multipart/related; boundary="_005_SN6PR13MB233403BDCE3517D7F60F160E85440SN6PR13MB2334namp_"; type="multipart/alternative"
MIME-Version: 1.0
X-OriginatorOrg: Futurewei.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SN6PR13MB2334.namprd13.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: fbefe3ae-6a09-4a3b-9b49-08d83d7dd2b5
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Aug 2020 22:36:28.6139 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0fee8ff2-a3b2-4018-9c75-3a1d5591fedc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: U3z9RyUtNPsNEx+1SM2fhOHUhYizI+N13YrVVCr/1l2BjfMW5QqD13FSPcHbI3lwI+C3RyY/Rs7aD1tokoBK3Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR13MB2335
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/5QtizlcjSVKoFB0oPd3l-v8gsy8>
Subject: [Idr] SECURE-EVPN's IPsec SA Inheritance can be improved by the mechanism described by draft-dunbar-idr-sdwan-edge-discovery. Would you consider?
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Aug 2020 22:36:36 -0000
Ali, et al: Your draft-sajassi-bess-secure-evpn-03 (the Section 4.1 Inheritance of Security Policies) has very stringent mapping for the SA Inheritance or “Recursive resolution” : “In the event, there are no security TLVs associated with an EVPN route, there is a strict order in the manner security associations are inherited for such a route. … If such [IPsec ] TLVs are missing with the associated route, then one checks to see if the subnets the IPs are associated with has security TLVs with the EVPN IMET route. If they are present, those associations are used in securing the traffic. In the absence of them, the peer security associations are used.” Here are some issues with this stringent mapping: * There could be multiple IPsec Security Associations between two Peers, as shown in the figure below, where the Purple SA terminate at the peer nodes, the Blue & Red SAs terminate at the WAN ports, and there could be more SAs that are terminated at the client specific routes. A user might have the policy to allow its Client route 10.1.1.x to be carried by either MPLS Path or the RED IPsec SA. [cid:image003.png@01D66F3C.C5D28F40] https://datatracker.ietf.org/doc/draft-dunbar-idr-sdwan-edge-discovery/ [BGP-Edge-Discovery] proposes client routes UPDATEs only include the IPsec SA identifiers (ID) to reference the IPsec SA attributes being advertised by separate Underlay Property BGP UPDATE messages. By referencing IPsec SA ID, instead of the detailed IPsec attributes Sub-TLVs, not only it makes the client routes UPDATE more compact (just an additional 4 bytes ID field), it also enables more flexible SA Inheritance, allowing client routes to be inherited by specific IPsec SA IDs. If a client route can be carried by more than one IPsec SAs or mixed IPsec & MPLS path, simply include multiple IPSec IDs, as shown in the following figure: [cid:image004.png@01D66F3C.C5D28F40] The [BGP-Edge-Discovery] differs from your [SECURE-EVPN] in how the information is included in the client routes. Your [Secure-EVPN] attaches all the IPsec SA information to the actual client routes, whereas the [BGP-Edge-Discovery] only includes the IPsec SA IDs for the client routes. The IPsec SA IDs used by [BGP-Edge-Discovery] is pointing to the IPsec SA Information which are advertised separately. [BGP-Edge-DISCOVERY] proposes underlay tunnel topology information and IPsec SA attributes are advertised in a separate BGP UPDATE with NLRI having an SAFI=74 (SDWAN SAFI) and a Tunnel Encapsulation attribute with tunnel type being SDWAN-Underlay. We think that reference IPsec SA ID is more efficient for SECURE-EVPN. Sincerely hope you consider our proposed approach. Thank you Linda Dunbar From: Ali Sajassi (sajassi) <sajassi@cisco.com> Sent: Monday, July 27, 2020 10:17 PM To: Susan Hares <shares@ndzh.com>; 'Hu, Jun (Nokia - US/Mountain View)' <jun.hu@nokia.com>; draft-sajassi-bess-secure-evpn@ietf.org; draft-dunbar-idr-sdwan-edge-discovery@ietf.org Cc: idr-chairs@ietf.org; bess-chairs@ietf.org; 'Alvaro Retana' <aretana.ietf@gmail.com>; martin.vigoureux@nokia.com; Ayan Banerjee (ayabaner) <ayabaner@cisco.com> Subject: Re: Drafts related to IPSec Tunnels - My follow upon IETF 105 - is an Analysis draft Hi Sue, We are planning in progressing secure-evpn draft. Regarding scale issues, there is an assumption in your draft that is not accurate and we discussed it in idr & rtgwg mailing lists June of last year. More specifically the assumption of sending tunnel attribute with client routes. Unless you need to setup a separate IPsec tunnel per client route, you SHOULD NOT send the tunnel attribute with the client routes. Instead, one of the inheritance schemes should be used for client routes. As I discussed in the idr/rtgwg mailing list in June/2019, there are three ways to do such inheritance and they are: 1. Recursive resolution 2. Coloring 3. Hierarchical The first two are described in tunnel-encap and the last one is described in secure-evpn. If it helps, I can add a section to secure-evpn to describe all three of them in one place. Regards, Ali From: Susan Hares <shares@ndzh.com<mailto:shares@ndzh.com>> Date: Tuesday, July 14, 2020 at 5:40 PM To: "'Hu, Jun (Nokia - US/Mountain View)'" <jun.hu@nokia.com<mailto:jun.hu@nokia.com>>, "draft-sajassi-bess-secure-evpn@ietf.org<mailto:draft-sajassi-bess-secure-evpn@ietf.org>" <draft-sajassi-bess-secure-evpn@ietf.org<mailto:draft-sajassi-bess-secure-evpn@ietf.org>>, "draft-dunbar-idr-sdwan-edge-discovery@ietf.org<mailto:draft-dunbar-idr-sdwan-edge-discovery@ietf.org>" <draft-dunbar-idr-sdwan-edge-discovery@ietf.org<mailto:draft-dunbar-idr-sdwan-edge-discovery@ietf.org>> Cc: "idr-chairs@ietf.org<mailto:idr-chairs@ietf.org>" <idr-chairs@ietf.org<mailto:idr-chairs@ietf.org>>, "bess-chairs@ietf.org<mailto:bess-chairs@ietf.org>" <bess-chairs@ietf.org<mailto:bess-chairs@ietf.org>>, 'Alvaro Retana' <aretana.ietf@gmail.com<mailto:aretana.ietf@gmail.com>>, "martin.vigoureux@nokia.com<mailto:martin.vigoureux@nokia.com>" <martin.vigoureux@nokia.com<mailto:martin.vigoureux@nokia.com>> Subject: Drafts related to IPSec Tunnels - My follow upon IETF 105 - is an Analysis draft Resent-From: <alias-bounces@ietf.org<mailto:alias-bounces@ietf.org>> Resent-To: Cisco Employee <sajassi@cisco.com<mailto:sajassi@cisco.com>>, <ayabaner@cisco.com<mailto:ayabaner@cisco.com>>, <sthoria@cisco.com<mailto:sthoria@cisco.com>>, <carrel@cisco.com<mailto:carrel@cisco.com>>, <bew.stds@gmail.com<mailto:bew.stds@gmail.com>>, <jdrake@juniper.net<mailto:jdrake@juniper.net>> Resent-Date: Tuesday, July 14, 2020 at 5:40 PM Greetings: I’m looking to pick up on our work from IETF 105 on drafts that suggest new Sub-TLVs for the BGP tunnel encapsulation attribute. If you are interested in continuing your work and getting approval for your Sub-TLVs to be added to the list of approved Sub-TLVs for the BGP tunnel encapsulation attribute, please let me know. The BGP tunnel encapsulation draft is now at -16.txt after receiving Alvaro’s AD review. We’re about to go through a final round of discussion on the IDR list, and I’d like to make sure your proposed new Sub-TLVs fit with draft-ietf-idr-tunnel-encaps-16. If you do not wish to continue your work, I want to thank you again for your hard work at IETF 105. I felt each of the proposed solutions brought new valuable concepts to passing tunnels in formation for IPsec in BGP. Cheerily, Sue Details on the help I need ================================ After reviewing all the drafts at IETF 105 and seeing subsequent changes to drafts to address security issues, I have the impression that each draft had a targeted use case and a particular profile for security, privacy, being managed in a network, and scaling. I’ve written up my impressions in an analysis draft using use cases, and I’ve uploaded a part of this draft for public viewing. Before I upload the remainder of the analysis, I would like to chat with each author group and/or all authors together. I want to make sure my analysis is correct. The remaining part of the analysis looks at BGP Update scaling for UPDATE sizes for two scenarios. Scenario 1 is a small RR cluster (5 client routers)). Scenario 2 is a huge RR cluster (10K client routers). As far as I can tell, all 3 proposals can handle the small RR cluster scenario. The huge RR cluster scenario look far into the future to 5G/6G world that might use this technology. With 64K BGP messages and 10G links for RR clusters, the huge RR cluster is “doable” today on massive machines that do not forward traffic. If being a co-author helps you work on this analysis draft, please let me know.
- [Idr] SECURE-EVPN's IPsec SA Inheritance can be i… Linda Dunbar